I am trying to understand how to create a mailbox once an account is created directly on Entra ID. Regarding the on-prem Exchange part, I know this can be addressed through the ConnectorAfterCreate rule according to the logic presented here: Before and After Rule Operations.
However, I need help understanding the process for creating a mailbox on Exchange Online in Entra ID. Could someone provide examples or explain the process?
I remain available for any further details on this matter.
Hi all,
Thank you for the feedback provided. If I understood correctly, is it sufficient to assign the appropriate group (and not the license) to the Entra ID account through ISC? Is this interpretation of the response provided correct?
Hi @psalat8887100 - The Mailbox is provisioned when the license is assigned. The license can be assigned either directly on the user or (preferably, as in your case) on a group. ISC should then be able to add the user to the group.
As we discussed some days ago, it is clear to me that in order to create a mailbox on Exchange Online in Entra ID, it is sufficient to assign the appropriate group to the Entra ID account through ISC, as the license is managed on the Entra ID side through group-based licensing.
Note: “After you create a new mailbox using Exchange Online PowerShell, you have to assign it an Exchange Online license or it will be disabled when the 30-day grace period ends.”
At this point, I would like to ask the following:
Whether the step mentioned in the note, i.e., “[…] create a new mailbox using Exchange Online PowerShell […]”, is also a task that I need to perform through ISC and, if so, what the technical steps are to achieve this; or whether it continues to be sufficient, and the responsibility of ISC, to only handle the part “[…] you have to assign it an Exchange Online license […]” as we discussed.
You will have an Exchange license (E3 or E5), which is typically managed through group membership.
Once you add a user to that group, the user will get the Exchange license automatically.
Once the user gets the license, it will sync to Exchange Online (EXO) and the user mailbox is created automatically.
It totally depends on your organization's EXO setup whether any PowerShell commands need to be executed; if so, you can use a native rule (Connector After Create Rule), which will be executed after an account is created.
This Connector After Create Rule will trigger a PowerShell script you can set up in the IQService component. You can check whether the request includes the EXO license groups, and then execute the EXO PowerShell commands.
Hi Paulo. The best way to think about it is to re-assess the MS note: when it says “after you create the mailbox using PowerShell”, think of it as “if you have created the mailbox with PowerShell”. You don't need to create the mailbox with PowerShell; if you assign an EXO license to an Entra user, it will be created automatically.
Thank you again for the suggestions provided so far! I would like to share with you the current context and describe a possible test we intend to run in the customer's sandbox environment to implement the suggestions, and to understand whether this makes sense according to the suggestion you gave me in the previous reply:
Current Context:
We currently have an on-prem Active Directory (AD) source synchronized with Entra ID. The attributes we already provision for account creation include:
If there are any other missing attributes that need to be set as specific prerequisites, please let me know.
Test Description:
Create a new external user on a NELM source.
Assign entitlements to the user via an Access Profile. By doing so, the Active Directory account is created, provisioning the attributes listed in the “Current Context.” This account will then be synchronized to Entra ID via AD Connect.
Wait for synchronization between the Active Directory and Entra ID.
Aggregate the accounts from the Entra ID source to verify that the account has been created correctly.
Manually assign the license through an Access Profile.
Aggregate the Entra ID source to verify that the mailbox has been created correctly.
To verify the actual creation of the mailbox, it would be useful to access the user’s mailbox at https://outlook.office.com.
Key Question:
Does the proposed test make sense, or are there additional attributes that need to be provisioned on the Active Directory account to ensure the steps in the “Test Description” work correctly?
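The group-to-license-to-mailbox chain described in the reply above, and the verification steps in the test plan (aggregate the Entra ID account, then check that the mailbox exists), can be checked from the admin side without logging in to outlook.office.com. The following script is an added example and is not part of the original thread or of any SailPoint connector; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules, Graph read permissions on users, groups and the directory, an Exchange Online admin role, and that the Exchange service plan names begin with EXCHANGE_S_ (true for E3/E5 SKUs, but check your tenant). The UPN and group name are placeholders supplied by the caller.

```powershell
# Added example (not from the original thread): verify that a synced user landed in the
# licensing group, received an Exchange service plan, and got a mailbox in EXO.
# Assumptions: Microsoft.Graph + ExchangeOnlineManagement modules; caller has
# User.Read.All / Group.Read.All / Directory.Read.All and an EXO admin role.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. jdoe@contoso.com
    [Parameter(Mandatory)] [string] $LicensingGroupName   # placeholder: the group carrying the E3/E5 license
)

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups, ExchangeOnlineManagement

Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Directory.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. The account exists and is on-premises mastered (expected after AD Connect sync).
$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id,UserPrincipalName,Mail,MailNickname,OnPremisesSyncEnabled
"{0}: onPremisesSyncEnabled={1} mail={2} mailNickname={3}" -f `
    $user.UserPrincipalName, $user.OnPremisesSyncEnabled, $user.Mail, $user.MailNickname

# 2. The user is a member of the licensing group (this is the part ISC provisions).
$group = Get-MgGroup -Filter "displayName eq '$LicensingGroupName'" `
    -Property Id,DisplayName,OnPremisesSyncEnabled
if (-not $group) { throw "Licensing group '$LicensingGroupName' not found" }
$isMember = $null -ne (Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id)
"Member of '{0}' (synced from AD: {1}): {2}" -f $group.DisplayName, $group.OnPremisesSyncEnabled, $isMember

# 3. Group-based licensing has applied a license that contains an Exchange plan.
$licenses = Get-MgUserLicenseDetail -UserId $user.Id
$exoPlans  = $licenses.ServicePlans | Where-Object { $_.ServicePlanName -like 'EXCHANGE_S_*' }
if ($exoPlans) {
    "Exchange service plans: " + (($exoPlans | ForEach-Object {
        "$($_.ServicePlanName)=$($_.ProvisioningStatus)" }) -join ', ')
} else {
    "No Exchange service plan on the user yet (group-based licensing is asynchronous)."
}

# 4. EXO has created the mailbox. Get-EXOMailbox throws when none exists, so trap that.
try {
    $mbx = Get-EXOMailbox -Identity $UserPrincipalName `
        -Properties PrimarySmtpAddress,EmailAddresses,RecipientTypeDetails -ErrorAction Stop
    "Mailbox: {0} ({1})" -f $mbx.PrimarySmtpAddress, $mbx.RecipientTypeDetails
    # Expect the AD 'mail' value as primary, plus aliases for the UPN and mailNickname@<default domain>.
    "Aliases: " + ($mbx.EmailAddresses -join ', ')
} catch {
    "No mailbox for $UserPrincipalName yet; re-run after license provisioning completes."
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it once after the group assignment and again after a few minutes: steps 1 and 2 should succeed immediately, while steps 3 and 4 lag behind because license assignment and mailbox creation are processed asynchronously by Entra ID and Exchange Online.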
Hi @j_place and developer community,
in summary, the goal we want to achieve is the following: to fully manage hybrid users and their mailboxes exclusively through Exchange Online, eliminating the need to use on-premises Exchange.
Currently, we are using SailPoint IdentityNow to provision users on a Source of type Active Directory - Direct, with subsequent automatic synchronization to Entra ID via Azure AD Connect.
We would like to ask for your guidance on the best practices to follow in such a scenario. Mailbox creation/management seems to necessarily require the execution of the PowerShell Enable-RemoteMailbox command on the on-premises Exchange environment. We would like to understand if it is possible to completely exclude the on-prem Exchange and manage the mailbox directly through Exchange Online by assigning the appropriate groups/licenses from ISC as entitlements in Entra ID to AD Connect synched users.
We would greatly appreciate your insights and any recommendations you may have.
Hi Paulo - if you run a cloud native Exchange Online with a hybrid AD then all you need to do (as was said above) is assign the license in Entra.
The Enable-RemoteMailbox PowerShell cmdlet is only required for hybrid Exchange environments.
The mail attribute in AD will be used as the primary email address for the mailbox in EXO, where it will also create an email alias for the UPN in Entra (if it is different) and an email alias for <mailNickname>@<default entra domain> (if this is different).
Have you attempted this and run into any problems?
Created an account on Active Directory and waited for it to sync with Entra ID.
Assigned the entitlement related to the Office 365 license on Entra ID (EXO).
Unfortunately, we encountered the following error:
[“Provisioning failed for f852275f-664b-4e0e-8741-af2cebeda72b. Entitlement ID: 326b88d9-e1b2-4b90-9a04-82ee7a28b080 .Response Code - 400 Error - Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.”]
It seems that the entitlement we are assigning is already being used in synchronization, which is causing the provisioning failure. At this point, what is the best approach to overcome this error?
Hi Paolo - it sounds like you are trying to add the user to the Entra group using Entra tools, however the group is an on-prem synchronised group. If this is your situation, either add the user to the on-prem group, or create a new native Entra group for licensing.
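The 400 error quoted above ("Unable to update the specified properties for on-premises mastered Directory Sync objects") is the symptom of writing membership into a group whose source of authority is on-premises AD. The script below is an added example, not code from the thread, SailPoint or Microsoft; it checks the group's OnPremisesSyncEnabled flag before attempting the add and, if the group is synced, creates a cloud-native security group, attaches the license to it with group-based licensing, and adds the user there instead. It assumes the Microsoft.Graph modules with Group.ReadWrite.All, Organization.Read.All and Directory.ReadWrite.All; the group name and SKU part number are placeholders (list your tenant's real SKUs with Get-MgSubscribedSku).

```powershell
# Added example (not from the original thread): avoid the 400 "on-premises mastered"
# error by never writing membership into a synced group from the cloud side.
# Assumptions: Microsoft.Graph modules; caller has Group.ReadWrite.All,
# Organization.Read.All and Directory.ReadWrite.All. Names are placeholders.
param(
    [Parameter(Mandatory)] [string] $GroupId,             # the group ISC tried to add the user to
    [Parameter(Mandatory)] [string] $UserId,              # object ID of the synced Entra user
    [string] $CloudGroupName = "LIC-EXO-E3-Cloud",        # placeholder for a new cloud-only group
    [string] $SkuPartNumber  = "SPE_E3"                   # placeholder SKU; check Get-MgSubscribedSku
)

Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Group.ReadWrite.All","Organization.Read.All","Directory.ReadWrite.All" -NoWelcome

$group = Get-MgGroup -GroupId $GroupId -Property Id,DisplayName,OnPremisesSyncEnabled

if ($group.OnPremisesSyncEnabled) {
    # Membership of this group is mastered in AD; a Graph write returns HTTP 400.
    # Option A (not done here): add the user to the group in on-prem AD and let AD Connect sync it.
    "'$($group.DisplayName)' is synced from on-prem AD; using a cloud-native licensing group instead."

    # Option B: create (or reuse) a cloud-only security group and put the license on it.
    $cloud = Get-MgGroup -Filter "displayName eq '$CloudGroupName'"
    if (-not $cloud) {
        $cloud = New-MgGroup -DisplayName $CloudGroupName -MailEnabled:$false -SecurityEnabled `
                             -MailNickname ($CloudGroupName -replace '[^A-Za-z0-9]', '')
        "Created cloud group '$CloudGroupName' ($($cloud.Id))"
    }

    # Group-based licensing: attach the SKU to the group once; members inherit it.
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU '$SkuPartNumber' not found in this tenant" }
    Set-MgGroupLicense -GroupId $cloud.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
    "License $SkuPartNumber assigned to group '$CloudGroupName'"

    $target = $cloud
} else {
    # Cloud-mastered group: the add is allowed as-is.
    $target = $group
}

# This write succeeds for a cloud-mastered group even though the user is on-prem mastered:
# the membership lives on the group object, not on the synced user.
New-MgGroupMember -GroupId $target.Id -DirectoryObjectId $UserId
"Added $UserId to '$($target.DisplayName)' ($($target.Id))"

Disconnect-MgGraph | Out-Null
```

Once the cloud group exists and carries the license, the ISC entitlement should point at that group's object ID rather than at the synced group, so that provisioning from ISC writes to an object Entra ID is allowed to update.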